Change denial type to enum

For now we only allow DNS_DB_NSEC_* values so it makes sense to change the type to an enum. Rename 'denial' to the more intuitive 'space', indicating the namespace of the keyvalue pair.
2025-08-28 13:08:06 +00:00 · 2025-05-26 17:36:33 +02:00 · 2025-05-26 17:36:33 +02:00 · e052e14b40
commit e052e14b40
parent 61f8886fc3
8 changed files with 185 additions and 177 deletions
--- a/fuzz/dns_qpkey_name.c
+++ b/fuzz/dns_qpkey_name.c
@ -43,7 +43,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	dns_name_t *namein, *nameout, *namecmp;
 	isc_buffer_t buf;
 	dns_qpkey_t key, cmp;
-	uint8_t denial;
+	dns_namespace_t space;
 	namein = dns_fixedname_initname(&fixedin);
 	nameout = dns_fixedname_initname(&fixedout);
@ -57,10 +57,10 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	/* verify round-trip conversion of first name */
 	size_t keylen = dns_qpkey_fromname(key, namein, 0);
-	dns_qpkey_toname(key, keylen, nameout, &denial);
+	dns_qpkey_toname(key, keylen, nameout, &space);
 	assert(dns_name_equal(namein, nameout));
-	assert(denial == 0);
+	assert(space == 0);
 	/* is there a second name? */
 	CHECK(dns_name_fromwire(namecmp, &buf, DNS_DECOMPRESS_NEVER, NULL));
@ -74,7 +74,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 	assert((namerel < 0) == (keyrel < 0));
 	assert((namerel == 0) == (keyrel == 0));
 	assert((namerel > 0) == (keyrel > 0));
-	assert(denial == 0);
+	assert(space == 0);
 	return 0;
 }
--- a/lib/dns/include/dns/db.h
+++ b/lib/dns/include/dns/db.h
@ -233,14 +233,15 @@ struct dns_dbonupdatelistener {
 };
 /*%
- * Used in composite databases such as RBTDB to indicate whether a node
+ * Used in QP keys to indicate whether a node is in a special namespace
- * exists in a specal tree for NSEC or NSEC3.
+ * such as NSEC or NSEC3. These values will be mapped to characters at
 * the beginning of the key, converting them to '0', '1', and '2'.
 */
-enum {
+typedef enum {
-	DNS_DB_NSEC_NORMAL = 0, /* in main tree */
+	DNS_DB_NSEC_NORMAL = 0, /* regular namespace */
-	DNS_DB_NSEC_NSEC = 2,	/* in nsec tree */
+	DNS_DB_NSEC_NSEC = 1,	/* nsec namespace */
-	DNS_DB_NSEC_NSEC3 = 3	/* in nsec3 tree */
+	DNS_DB_NSEC_NSEC3 = 2,	/* nsec3 namespace */
-};
+} dns_namespace_t;
 /*@{*/
 /*%
--- a/lib/dns/include/dns/qp.h
+++ b/lib/dns/include/dns/qp.h
@ -86,6 +86,7 @@
 #include <isc/attributes.h>
 #include <dns/db.h>
 #include <dns/name.h>
 #include <dns/types.h>
@ -183,7 +184,7 @@ typedef union dns_qpreadable {
 * common hostname character; otherwise unusual characters are escaped,
 * using two bytes in the key. Because the maximum label length is 63
 * characters, the actual max is (255 - 5) * 2 + 6 == 506. Then, we need
- * one more byte to prepend the denial of existence value.
+ * one more byte to prepend the namespace.
 *
 * Note: this gives us 5 bytes available space to store more data.
 */
@ -473,13 +474,14 @@ dns_qpmulti_memusage(dns_qpmulti_t *multi);
 */
 size_t
-dns_qpkey_fromname(dns_qpkey_t key, const dns_name_t *name, uint8_t denial);
+dns_qpkey_fromname(dns_qpkey_t key, const dns_name_t *name,
 		   dns_namespace_t space);
 /*%<
 * Convert a DNS name into a trie lookup key.
 *
- * If 'denial' is DNS_DB_NSEC_NORMAL (0), convert the name for a NSEC lookup.
+ * If 'space' is DNS_DB_NSEC_NORMAL (0), convert the name for a normal lookup.
- * If 'denial' is DNS_DB_NSEC_NSEC, convert the name for a NSEC lookup.
+ * If 'space' is DNS_DB_NSEC_NSEC, convert the name for a NSEC lookup.
- * If 'denial' is DNS_DB_NSEC_NSEC3, convert the name for a NSEC3 lookup.
+ * If 'space' is DNS_DB_NSEC_NSEC3, convert the name for a NSEC3 lookup.
 *
 * Requires:
 * \li  `name` is a pointer to a valid `dns_name_t`
@ -493,11 +495,11 @@ dns_qpkey_fromname(dns_qpkey_t key, const dns_name_t *name, uint8_t denial);
 void
 dns_qpkey_toname(const dns_qpkey_t key, size_t keylen, dns_name_t *name,
-		 uint8_t *denial);
+		 dns_namespace_t *space);
 /*%<
 * Convert a trie lookup key back into a DNS name.
 *
- * 'denial' stores whether the key is for a normal name, or denial of existence.
+ * 'space' stores whether the key is for a normal name, or denial of existence.
 *
 * Requires:
 * \li  `name` is a pointer to a valid `dns_name_t`
@ -524,10 +526,10 @@ dns_qp_getkey(dns_qpreadable_t qpr, const dns_qpkey_t search_key,
 */
 isc_result_t
-dns_qp_getname(dns_qpreadable_t qpr, const dns_name_t *name, uint8_t denial,
+dns_qp_getname(dns_qpreadable_t qpr, const dns_name_t *name,
-	       void **pval_r, uint32_t *ival_r);
+	       dns_namespace_t space, void **pval_r, uint32_t *ival_r);
 /*%<
- * Find a leaf in a qp-trie that matches the given DNS name, and denial value.
+ * Find a leaf in a qp-trie that matches the given DNS name, and namespace.
 *
 * The leaf values are assigned to whichever of `*pval_r` and `*ival_r`
 * are not null, unless the return value is ISC_R_NOTFOUND.
@ -586,11 +588,11 @@ dns_qp_lookup(dns_qpreadable_t qpr, const dns_name_t *name,
 */
 isc_result_t
-dns_qp_lookup2(dns_qpreadable_t qpr, const dns_name_t *name, uint8_t denial,
+dns_qp_lookup2(dns_qpreadable_t qpr, const dns_name_t *name,
-	       dns_name_t *foundname, dns_qpiter_t *iter, dns_qpchain_t *chain,
+	       dns_namespace_t space, dns_name_t *foundname, dns_qpiter_t *iter,
-	       void **pval_r, uint32_t *ival_r);
+	       dns_qpchain_t *chain, void **pval_r, uint32_t *ival_r);
 /*%<
- * The same as 'dns_qp_lookup', but with the possibility to set a denial value,
+ * The same as 'dns_qp_lookup', but with the possibility to set a namespace,
 * either DNS_DB_NSEC_NORMAL (or 0, which is the equivalent of 'dns_qp_lookup'),
 * DNS_DB_NSEC_NSEC, OR DNS_DB_NSEC3.
 */
@ -629,11 +631,10 @@ dns_qp_deletekey(dns_qp_t *qp, const dns_qpkey_t key, size_t keylen,
 */
 isc_result_t
-dns_qp_deletename(dns_qp_t *qp, const dns_name_t *name, uint8_t denial,
+dns_qp_deletename(dns_qp_t *qp, const dns_name_t *name, dns_namespace_t space,
 		  void **pval_r, uint32_t *ival_r);
 /*%<
- * Delete a leaf from a qp-trie that matches the given DNS name, and denial
+ * Delete a leaf from a qp-trie that matches the given DNS name, and namespace.
 * value.
 *
 * The leaf values are assigned to whichever of `*pval_r` and `*ival_r`
 * are not null, unless the return value is ISC_R_NOTFOUND.
--- a/lib/dns/qp.c
+++ b/lib/dns/qp.c
@ -41,7 +41,6 @@
 #include <isc/urcu.h>
 #include <isc/util.h>
 #include <dns/db.h>
 #include <dns/fixedname.h>
 #include <dns/name.h>
 #include <dns/qp.h>
@ -117,9 +116,14 @@ ISC_REFCOUNT_STATIC_DECL(dns_qpmulti);
 */
 /*
- * An offset for the denial value.
+ * Convert the namespace value. We map namespace values to numerical
 * digits so they can be represented in a single byte in the QP key;
 * thus namespace 0 becomes '0', etc.
 */
-#define DENIAL_OFFSET 48
+#define ENCODE_NAMESPACE(c) dns_qp_bits_for_byte[(c) + (uint8_t)'0']
 #define DECODE_NAMESPACE(c) dns_qp_byte_for_bit[(c)] - (uint8_t)'0'
 #define NAME_OFFSET 1
 /*
 * Number of distinct byte values, i.e. 256
@ -234,16 +238,16 @@ dns__qp_shutdown(void) {
 * dot in a zone file).
 */
 size_t
-dns_qpkey_fromname(dns_qpkey_t key, const dns_name_t *name, uint8_t denial) {
+dns_qpkey_fromname(dns_qpkey_t key, const dns_name_t *name,
 		   dns_namespace_t space) {
 	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
 	REQUIRE(denial <= DNS_DB_NSEC_NSEC3);
 	dns_offsets_t offsets;
 	size_t labels = dns_name_offsets(name, offsets);
 	size_t len = 0;
-	/* denial? */
+	/* namespace */
-	key[len++] = dns_qp_bits_for_byte[denial + DENIAL_OFFSET];
+	key[len++] = ENCODE_NAMESPACE(space);
 	/* name */
 	if (labels == 0) {
 		key[len] = SHIFT_NOBYTE;
@ -272,10 +276,10 @@ dns_qpkey_fromname(dns_qpkey_t key, const dns_name_t *name, uint8_t denial) {
 void
 dns_qpkey_toname(const dns_qpkey_t key, size_t keylen, dns_name_t *name,
-		 uint8_t *denial) {
+		 dns_namespace_t *space) {
 	size_t locs[DNS_NAME_MAXLABELS];
 	size_t loc = 0;
-	size_t offset;
+	size_t offset = 0;
 	REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
 	REQUIRE(name->buffer != NULL);
@ -283,14 +287,14 @@ dns_qpkey_toname(const dns_qpkey_t key, size_t keylen, dns_name_t *name,
 	dns_name_reset(name);
-	SET_IF_NOT_NULL(denial, dns_qp_byte_for_bit[key[0]] - DENIAL_OFFSET);
+	SET_IF_NOT_NULL(space, DECODE_NAMESPACE(key[offset++]));
-	if (keylen == 1) {
+	if (keylen == NAME_OFFSET) {
 		return;
 	}
 	/* Scan the key looking for label boundaries */
-	for (offset = 1; offset <= keylen; offset++) {
+	for (; offset <= keylen; offset++) {
 		INSIST(key[offset] >= SHIFT_NOBYTE &&
 		       key[offset] < SHIFT_OFFSET);
 		INSIST(loc < DNS_NAME_MAXLABELS);
@ -301,7 +305,7 @@ dns_qpkey_toname(const dns_qpkey_t key, size_t keylen, dns_name_t *name,
 				goto scanned;
 			}
 			locs[loc++] = offset + 1;
-		} else if (offset == 1) {
+		} else if (offset == NAME_OFFSET) {
 			/* This happens for a relative name */
 			locs[loc++] = offset;
 		}
@ -344,7 +348,7 @@ scanned:
 	}
 	/* Add a root label for absolute names */
-	if (key[1] == SHIFT_NOBYTE) {
+	if (key[NAME_OFFSET] == SHIFT_NOBYTE) {
 		name->attributes.absolute = true;
 		isc_buffer_putuint8(name->buffer, 0);
 		name->length++;
@ -1840,10 +1844,10 @@ dns_qp_deletekey(dns_qp_t *qp, const dns_qpkey_t search_key,
 }
 isc_result_t
-dns_qp_deletename(dns_qp_t *qp, const dns_name_t *name, uint8_t denial,
+dns_qp_deletename(dns_qp_t *qp, const dns_name_t *name, dns_namespace_t space,
 		  void **pval_r, uint32_t *ival_r) {
 	dns_qpkey_t key;
-	size_t keylen = dns_qpkey_fromname(key, name, denial);
+	size_t keylen = dns_qpkey_fromname(key, name, space);
 	return dns_qp_deletekey(qp, key, keylen, pval_r, ival_r);
 }
@ -2103,10 +2107,10 @@ dns_qp_getkey(dns_qpreadable_t qpr, const dns_qpkey_t search_key,
 }
 isc_result_t
-dns_qp_getname(dns_qpreadable_t qpr, const dns_name_t *name, uint8_t denial,
+dns_qp_getname(dns_qpreadable_t qpr, const dns_name_t *name,
-	       void **pval_r, uint32_t *ival_r) {
+	       dns_namespace_t space, void **pval_r, uint32_t *ival_r) {
 	dns_qpkey_t key;
-	size_t keylen = dns_qpkey_fromname(key, name, denial);
+	size_t keylen = dns_qpkey_fromname(key, name, space);
 	return dns_qp_getkey(qpr, key, keylen, pval_r, ival_r);
 }
@ -2281,9 +2285,9 @@ fix_chain(dns_qpchain_t *chain, size_t offset) {
 }
 isc_result_t
-dns_qp_lookup2(dns_qpreadable_t qpr, const dns_name_t *name, uint8_t denial,
+dns_qp_lookup2(dns_qpreadable_t qpr, const dns_name_t *name,
-	       dns_name_t *foundname, dns_qpiter_t *iter, dns_qpchain_t *chain,
+	       dns_namespace_t space, dns_name_t *foundname, dns_qpiter_t *iter,
-	       void **pval_r, uint32_t *ival_r) {
+	       dns_qpchain_t *chain, void **pval_r, uint32_t *ival_r) {
 	dns_qpreader_t *qp = dns_qpreader(qpr);
 	dns_qpkey_t search, found;
 	size_t searchlen, foundlen;
@ -2298,7 +2302,7 @@ dns_qp_lookup2(dns_qpreadable_t qpr, const dns_name_t *name, uint8_t denial,
 	REQUIRE(QP_VALID(qp));
 	REQUIRE(foundname == NULL || ISC_MAGIC_VALID(name, DNS_NAME_MAGIC));
-	searchlen = dns_qpkey_fromname(search, name, denial);
+	searchlen = dns_qpkey_fromname(search, name, space);
 	if (chain == NULL) {
 		chain = &oc;
--- a/lib/dns/qpcache.c
+++ b/lib/dns/qpcache.c
@ -150,7 +150,7 @@ struct qpcnode {
 	uint8_t			: 0;
 	unsigned int delegating : 1;
-	unsigned int nsec	: 2; /*%< range is 0..3 */
+	unsigned int nspace	: 2; /*%< range is 0..3 */
 	unsigned int havensec	: 1;
 	uint8_t			: 0;
@ -358,7 +358,7 @@ static size_t
 qp_makekey(dns_qpkey_t key, void *uctx ISC_ATTR_UNUSED, void *pval,
 	   uint32_t ival ISC_ATTR_UNUSED) {
 	qpcnode_t *data = pval;
-	return dns_qpkey_fromname(key, &data->name, data->nsec);
+	return dns_qpkey_fromname(key, &data->name, data->nspace);
 }
 static void
@ -603,7 +603,7 @@ delete_node(qpcache_t *qpdb, qpcnode_t *node) {
 			      printname, node->locknum);
 	}
-	switch (node->nsec) {
+	switch (node->nspace) {
 	case DNS_DB_NSEC_NORMAL:
 		if (node->havensec) {
 			/*
@ -622,12 +622,12 @@ delete_node(qpcache_t *qpdb, qpcnode_t *node) {
 					      isc_result_totext(result));
 			}
 		}
-		result = dns_qp_deletename(qpdb->tree, &node->name, node->nsec,
+		result = dns_qp_deletename(qpdb->tree, &node->name,
-					   NULL, NULL);
+					   node->nspace, NULL, NULL);
 		break;
 	case DNS_DB_NSEC_NSEC:
-		result = dns_qp_deletename(qpdb->nsec, &node->name, node->nsec,
+		result = dns_qp_deletename(qpdb->nsec, &node->name,
-					   NULL, NULL);
+					   node->nspace, NULL, NULL);
 		break;
 	}
 	if (result != ISC_R_SUCCESS) {
@ -2352,10 +2352,10 @@ qpcache_findnode(dns_db_t *db, const dns_name_t *name, bool create,
 	qpcnode_t *node = NULL;
 	isc_result_t result;
 	isc_rwlocktype_t tlocktype = isc_rwlocktype_none;
-	uint8_t dopt = DNS_DB_NSEC_NORMAL;
+	dns_namespace_t dopt = DNS_DB_NSEC_NORMAL;
 	TREE_RDLOCK(&qpdb->tree_lock, &tlocktype);
-	result = dns_qp_getname(qpdb->tree, name, dopt, (void **)&node, NULL);
+	result = dns_qp_getname(qpdb->tree, name, nspace, (void **)&node, NULL);
 	if (result != ISC_R_SUCCESS) {
 		if (!create) {
 			goto unlock;
@ -2364,11 +2364,11 @@ qpcache_findnode(dns_db_t *db, const dns_name_t *name, bool create,
 		 * Try to upgrade the lock and if that fails unlock then relock.
 		 */
 		TREE_FORCEUPGRADE(&qpdb->tree_lock, &tlocktype);
-		result = dns_qp_getname(qpdb->tree, name, dopt, (void **)&node,
+		result = dns_qp_getname(qpdb->tree, name, nspace,
-					NULL);
+					(void **)&node, NULL);
 		if (result != ISC_R_SUCCESS) {
 			node = new_qpcnode(qpdb, name);
-			node->nsec = dopt;
+			node->nspace = dopt;
 			result = dns_qp_insert(qpdb->tree, node, 0);
 			INSIST(result == ISC_R_SUCCESS);
 			qpcnode_unref(node);
@ -3050,7 +3050,7 @@ qpcache_addrdataset(dns_db_t *db, dns_dbnode_t *node, dns_dbversion_t *version,
 		if (result != ISC_R_SUCCESS) {
 			INSIST(nsecnode == NULL);
 			nsecnode = new_qpcnode(qpdb, name);
-			nsecnode->nsec = DNS_DB_NSEC_NSEC;
+			nsecnode->nspace = DNS_DB_NSEC_NSEC;
 			result = dns_qp_insert(qpdb->nsec, nsecnode, 0);
 			INSIST(result == ISC_R_SUCCESS);
 			qpcnode_detach(&nsecnode);
--- a/lib/dns/qpzone.c
+++ b/lib/dns/qpzone.c
@ -203,7 +203,7 @@ struct qpznode {
 	isc_refcount_t erefs;
 	uint16_t locknum;
-	atomic_uint_fast8_t nsec;
+	_Atomic(dns_namespace_t) nspace;
 	atomic_bool havensec;
 	atomic_bool wild;
 	atomic_bool delegating;
@ -767,7 +767,7 @@ dns__qpzone_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
 	 * we simply remember the node data's address.
 	 */
 	qpdb->origin = new_qpznode(qpdb, &qpdb->common.origin);
-	qpdb->origin->nsec = DNS_DB_NSEC_NORMAL;
+	qpdb->origin->nspace = DNS_DB_NSEC_NORMAL;
 	result = dns_qp_insert(qp, qpdb->origin, 0);
 	INSIST(result == ISC_R_SUCCESS);
@ -776,7 +776,7 @@ dns__qpzone_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
 	 * the NSEC nodes while iterating over the full tree.
 	 */
 	qpdb->nsec_origin = new_qpznode(qpdb, &qpdb->common.origin);
-	qpdb->nsec_origin->nsec = DNS_DB_NSEC_NSEC;
+	qpdb->nsec_origin->nspace = DNS_DB_NSEC_NSEC;
 	result = dns_qp_insert(qp, qpdb->nsec_origin, 0);
 	INSIST(result == ISC_R_SUCCESS);
@ -786,7 +786,7 @@ dns__qpzone_create(isc_mem_t *mctx, const dns_name_t *origin, dns_dbtype_t type,
 	 * record in the tree.
 	 */
 	qpdb->nsec3_origin = new_qpznode(qpdb, &qpdb->common.origin);
-	qpdb->nsec3_origin->nsec = DNS_DB_NSEC_NSEC3;
+	qpdb->nsec3_origin->nspace = DNS_DB_NSEC_NSEC3;
 	result = dns_qp_insert(qp, qpdb->nsec3_origin, 0);
 	INSIST(result == ISC_R_SUCCESS);
@ -1718,7 +1718,7 @@ loading_addnode(qpz_load_t *loadctx, const dns_name_t *name,
 			*nodep = node;
 		} else {
 			node = new_qpznode(qpdb, name);
-			node->nsec = DNS_DB_NSEC_NSEC3;
+			node->nspace = DNS_DB_NSEC_NSEC3;
 			result = dns_qp_insert(loadctx->tree, node, 0);
 			INSIST(result == ISC_R_SUCCESS);
 			*nodep = node;
@ -1736,7 +1736,7 @@ loading_addnode(qpz_load_t *loadctx, const dns_name_t *name,
 	} else {
 		INSIST(node == NULL);
 		node = new_qpznode(qpdb, name);
-		node->nsec = DNS_DB_NSEC_NORMAL;
+		node->nspace = DNS_DB_NSEC_NORMAL;
 		result = dns_qp_insert(loadctx->tree, node, 0);
 		INSIST(result == ISC_R_SUCCESS);
 		qpznode_unref(node);
@ -1755,7 +1755,7 @@ loading_addnode(qpz_load_t *loadctx, const dns_name_t *name,
 	 */
 	node->havensec = true;
 	nsecnode = new_qpznode(qpdb, name);
-	nsecnode->nsec = DNS_DB_NSEC_NSEC;
+	nsecnode->nspace = DNS_DB_NSEC_NSEC;
 	(void)dns_qp_insert(loadctx->tree, nsecnode, 0);
 	qpznode_detach(&nsecnode);
@ -2120,7 +2120,7 @@ add(qpzonedb_t *qpdb, qpznode_t *node, const dns_name_t *nodename,
 static void
 wildcardmagic(qpzonedb_t *qpdb, dns_qp_t *qp, const dns_name_t *name,
-	      uint8_t denial) {
+	      dns_namespace_t nspace) {
 	isc_result_t result;
 	dns_name_t foundname;
 	unsigned int n;
@ -2133,11 +2133,11 @@ wildcardmagic(qpzonedb_t *qpdb, dns_qp_t *qp, const dns_name_t *name,
 	dns_name_getlabelsequence(name, 1, n, &foundname);
 	/* insert an empty node, if needed, to hold the wildcard bit */
-	result = dns_qp_getname(qp, &foundname, denial, (void **)&node, NULL);
+	result = dns_qp_getname(qp, &foundname, nspace, (void **)&node, NULL);
 	if (result != ISC_R_SUCCESS) {
 		INSIST(node == NULL);
 		node = new_qpznode(qpdb, &foundname);
-		node->nsec = denial;
+		node->nspace = nspace;
 		result = dns_qp_insert(qp, node, 0);
 		INSIST(result == ISC_R_SUCCESS);
 		qpznode_unref(node);
@ -2148,7 +2148,7 @@ wildcardmagic(qpzonedb_t *qpdb, dns_qp_t *qp, const dns_name_t *name,
 static void
 addwildcards(qpzonedb_t *qpdb, dns_qp_t *qp, const dns_name_t *name,
-	     uint8_t denial) {
+	     dns_namespace_t nspace) {
 	dns_name_t foundname;
 	unsigned int n, l, i;
@ -2159,7 +2159,7 @@ addwildcards(qpzonedb_t *qpdb, dns_qp_t *qp, const dns_name_t *name,
 	while (i < n) {
 		dns_name_getlabelsequence(name, n - i, i, &foundname);
 		if (dns_name_iswildcard(&foundname)) {
-			wildcardmagic(qpdb, qp, &foundname, denial);
+			wildcardmagic(qpdb, qp, &foundname, nspace);
 		}
 		i++;
@ -2548,7 +2548,7 @@ findnodeintree(qpzonedb_t *qpdb, const dns_name_t *name, bool create,
 	       bool nsec3, dns_dbnode_t **nodep DNS__DB_FLARG) {
 	isc_result_t result;
 	qpznode_t *node = NULL;
-	uint8_t denial = nsec3 ? DNS_DB_NSEC_NSEC3 : DNS_DB_NSEC_NORMAL;
+	dns_namespace_t nspace = nsec3 ? DNS_DB_NSEC_NSEC3 : DNS_DB_NSEC_NORMAL;
 	dns_qpread_t qpr = { 0 };
 	dns_qp_t *qp = NULL;
@ -2559,7 +2559,7 @@ findnodeintree(qpzonedb_t *qpdb, const dns_name_t *name, bool create,
 		qp = (dns_qp_t *)&qpr;
 	}
-	result = dns_qp_getname(qp, name, denial, (void **)&node, NULL);
+	result = dns_qp_getname(qp, name, nspace, (void **)&node, NULL);
 	if (result != ISC_R_SUCCESS) {
 		if (!create) {
 			dns_qpread_destroy(qpdb->tree, &qpr);
@ -2567,20 +2567,20 @@ findnodeintree(qpzonedb_t *qpdb, const dns_name_t *name, bool create,
 		}
 		node = new_qpznode(qpdb, name);
-		node->nsec = denial;
+		node->nspace = nspace;
 		result = dns_qp_insert(qp, node, 0);
 		INSIST(result == ISC_R_SUCCESS);
 		qpznode_unref(node);
 		if (!nsec3) {
-			addwildcards(qpdb, qp, name, denial);
+			addwildcards(qpdb, qp, name, nspace);
 			if (dns_name_iswildcard(name)) {
-				wildcardmagic(qpdb, qp, name, denial);
+				wildcardmagic(qpdb, qp, name, nspace);
 			}
 		}
 	}
-	INSIST(node->nsec == DNS_DB_NSEC_NSEC3 || !nsec3);
+	INSIST(node->nspace == DNS_DB_NSEC_NSEC3 || !nsec3);
 	qpznode_acquire(qpdb, node DNS__DB_FLARG_PASS);
@ -2877,7 +2877,7 @@ wildcard_blocked(qpz_search_t *search, const dns_name_t *qname,
 static isc_result_t
 find_wildcard(qpz_search_t *search, qpznode_t **nodep, const dns_name_t *qname,
-	      uint8_t denial) {
+	      dns_namespace_t nspace) {
 	dns_slabheader_t *header = NULL;
 	isc_result_t result = ISC_R_NOTFOUND;
@ -2934,7 +2934,7 @@ find_wildcard(qpz_search_t *search, qpznode_t **nodep, const dns_name_t *qname,
 				break;
 			}
-			result = dns_qp_lookup2(&search->qpr, wname, denial,
+			result = dns_qp_lookup2(&search->qpr, wname, nspace,
 						NULL, &wit, NULL,
 						(void **)&wnode, NULL);
 			if (result == ISC_R_SUCCESS) {
@ -3447,23 +3447,23 @@ qpzone_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
 		close_version = true;
 	}
-	uint8_t denial;
+	dns_namespace_t nspace;
 	qpz_search_t search;
 	qpz_search_init(&search, (qpzonedb_t *)db, (qpz_version_t *)version,
 			options);
 	if ((options & DNS_DBFIND_FORCENSEC3) != 0) {
 		nsec3 = true;
-		denial = DNS_DB_NSEC_NSEC3;
+		nspace = DNS_DB_NSEC_NSEC3;
 	} else {
-		denial = DNS_DB_NSEC_NORMAL;
+		nspace = DNS_DB_NSEC_NORMAL;
 	}
 	dns_qpmulti_query(qpdb->tree, &search.qpr);
 	/*
 	 * Search down from the root of the tree.
 	 */
-	result = dns_qp_lookup2(&search.qpr, name, denial, NULL, &search.iter,
+	result = dns_qp_lookup2(&search.qpr, name, nspace, NULL, &search.iter,
 				&search.chain, (void **)&node, NULL);
 	if (result != ISC_R_NOTFOUND) {
 		dns_name_copy(&node->name, foundname);
@ -3510,7 +3510,7 @@ qpzone_find(dns_db_t *db, const dns_name_t *name, dns_dbversion_t *version,
 			 * we must see if there's a matching wildcard active
 			 * in the current version.
 			 */
-			result = find_wildcard(&search, &node, name, denial);
+			result = find_wildcard(&search, &node, name, nspace);
 			if (result == ISC_R_SUCCESS) {
 				dns_name_copy(name, foundname);
 				wild = true;
@ -4310,7 +4310,7 @@ dbiterator_first(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 			 * If we immediately hit an NSEC/NSEC3 node,
 			 * we don't have any non-nsec nodes.
 			 */
-			if (qpdbiter->node->nsec != DNS_DB_NSEC_NORMAL) {
+			if (qpdbiter->node->nspace != DNS_DB_NSEC_NORMAL) {
 				qpdbiter->node = NULL;
 				result = ISC_R_NOMORE;
 			}
@ -4334,10 +4334,10 @@ dbiterator_first(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 		 * If we hit an NSEC node, we need to start at the NSEC3 part of
 		 * the tree.
 		 */
-		if (qpdbiter->node->nsec != DNS_DB_NSEC_NSEC) {
+		if (qpdbiter->node->nspace != DNS_DB_NSEC_NSEC) {
 			break;
 		}
-		INSIST(qpdbiter->node->nsec == DNS_DB_NSEC_NSEC);
+		INSIST(qpdbiter->node->nspace == DNS_DB_NSEC_NSEC);
 		/* FALLTHROUGH */
 	case nsec3only:
@ -4398,7 +4398,8 @@ dbiterator_last(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 				/* tree only has NSEC3 origin node. */
 				qpdbiter->node = NULL;
 				result = ISC_R_NOMORE;
-			} else if (qpdbiter->node->nsec != DNS_DB_NSEC_NSEC3) {
+			} else if (qpdbiter->node->nspace != DNS_DB_NSEC_NSEC3)
 			{
 				/* tree has no NSEC3 nodes at all. */
 				qpdbiter->node = NULL;
 				result = ISC_R_NOMORE;
@ -4423,10 +4424,10 @@ dbiterator_last(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 		 * If we hit an NSEC node, we need to seek the final normal node
 		 * of the tree.
 		 */
-		if (qpdbiter->node->nsec != DNS_DB_NSEC_NSEC) {
+		if (qpdbiter->node->nspace != DNS_DB_NSEC_NSEC) {
 			break;
 		}
-		INSIST(qpdbiter->node->nsec == DNS_DB_NSEC_NSEC);
+		INSIST(qpdbiter->node->nspace == DNS_DB_NSEC_NSEC);
 		/* FALLTHROUGH */
 	case nonsec3:
@ -4452,7 +4453,7 @@ dbiterator_last(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 						    (void **)&qpdbiter->node,
 						    NULL);
 			INSIST(result == ISC_R_SUCCESS);
-			INSIST(qpdbiter->node->nsec == DNS_DB_NSEC_NORMAL);
+			INSIST(qpdbiter->node->nspace == DNS_DB_NSEC_NORMAL);
 		}
 		break;
 	default:
@ -4548,7 +4549,8 @@ dbiterator_prev(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 				/* we hit the NSEC3 origin node. */
 				qpdbiter->node = NULL;
 				result = ISC_R_NOMORE;
-			} else if (qpdbiter->node->nsec != DNS_DB_NSEC_NSEC3) {
+			} else if (qpdbiter->node->nspace != DNS_DB_NSEC_NSEC3)
 			{
 				/* we hit a non-NSEC3 node. */
 				qpdbiter->node = NULL;
 				result = ISC_R_NOMORE;
@ -4573,11 +4575,11 @@ dbiterator_prev(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 		 * If we hit an NSEC node, we need to seek the final normal node
 		 * of the tree.
 		 */
-		if (qpdbiter->node->nsec != DNS_DB_NSEC_NSEC) {
+		if (qpdbiter->node->nspace != DNS_DB_NSEC_NSEC) {
 			break;
 		}
-		INSIST(qpdbiter->node->nsec == DNS_DB_NSEC_NSEC);
+		INSIST(qpdbiter->node->nspace == DNS_DB_NSEC_NSEC);
 		result = dns_qp_lookup2(qpdbiter->snap, &qpdb->common.origin,
 					DNS_DB_NSEC_NSEC, NULL, &qpdbiter->iter,
 					NULL, (void **)&qpdbiter->node, NULL);
@ -4598,7 +4600,7 @@ dbiterator_prev(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 						    (void **)&qpdbiter->node,
 						    NULL);
 			INSIST(result == ISC_R_SUCCESS);
-			INSIST(qpdbiter->node->nsec == DNS_DB_NSEC_NORMAL);
+			INSIST(qpdbiter->node->nspace == DNS_DB_NSEC_NORMAL);
 		}
 		break;
 	case nonsec3:
@ -4638,7 +4640,7 @@ dbiterator_next(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 	case nonsec3:
 		if (result == ISC_R_SUCCESS) {
 			/* we hit an NSEC or NSEC3 node. */
-			if (qpdbiter->node->nsec != DNS_DB_NSEC_NORMAL) {
+			if (qpdbiter->node->nspace != DNS_DB_NSEC_NORMAL) {
 				qpdbiter->node = NULL;
 				result = ISC_R_NOMORE;
 			}
@ -4662,10 +4664,10 @@ dbiterator_next(dns_dbiterator_t *iterator DNS__DB_FLARG) {
 		 * If we hit an NSEC node, we need to start at the NSEC3 part of
 		 * the tree.
 		 */
-		if (qpdbiter->node->nsec != DNS_DB_NSEC_NSEC) {
+		if (qpdbiter->node->nspace != DNS_DB_NSEC_NSEC) {
 			break;
 		}
-		INSIST(qpdbiter->node->nsec == DNS_DB_NSEC_NSEC);
+		INSIST(qpdbiter->node->nspace == DNS_DB_NSEC_NSEC);
 		result = dns_qp_lookup2(qpdbiter->snap, &qpdb->common.origin,
 					DNS_DB_NSEC_NSEC3, NULL,
@ -4814,10 +4816,10 @@ qpzone_addrdataset(dns_db_t *db, dns_dbnode_t *dbnode,
 		return DNS_R_NOTZONETOP;
 	}
-	REQUIRE((node->nsec == DNS_DB_NSEC_NSEC3 &&
+	REQUIRE((node->nspace == DNS_DB_NSEC_NSEC3 &&
 		 (rdataset->type == dns_rdatatype_nsec3 ||
 		  rdataset->covers == dns_rdatatype_nsec3)) ||
-		(node->nsec != DNS_DB_NSEC_NSEC3 &&
+		(node->nspace != DNS_DB_NSEC_NSEC3 &&
 		 rdataset->type != dns_rdatatype_nsec3 &&
 		 rdataset->covers != dns_rdatatype_nsec3));
@ -4884,7 +4886,7 @@ qpzone_addrdataset(dns_db_t *db, dns_dbnode_t *dbnode,
 		 * move on.
 		 */
 		qpznode_t *nsecnode = new_qpznode(qpdb, name);
-		nsecnode->nsec = DNS_DB_NSEC_NSEC;
+		nsecnode->nspace = DNS_DB_NSEC_NSEC;
 		(void)dns_qp_insert(nsec, nsecnode, 0);
 		qpznode_detach(&nsecnode);
 	}
@ -4935,10 +4937,10 @@ qpzone_subtractrdataset(dns_db_t *db, dns_dbnode_t *dbnode,
 	REQUIRE(VALID_QPZONE(qpdb));
 	REQUIRE(version != NULL && version->qpdb == qpdb);
-	REQUIRE((node->nsec == DNS_DB_NSEC_NSEC3 &&
+	REQUIRE((node->nspace == DNS_DB_NSEC_NSEC3 &&
 		 (rdataset->type == dns_rdatatype_nsec3 ||
 		  rdataset->covers == dns_rdatatype_nsec3)) ||
-		(node->nsec != DNS_DB_NSEC_NSEC3 &&
+		(node->nspace != DNS_DB_NSEC_NSEC3 &&
 		 rdataset->type != dns_rdatatype_nsec3 &&
 		 rdataset->covers != dns_rdatatype_nsec3));
@ -5584,7 +5586,7 @@ static size_t
 qp_makekey(dns_qpkey_t key, void *uctx ISC_ATTR_UNUSED, void *pval,
 	   uint32_t ival ISC_ATTR_UNUSED) {
 	qpznode_t *data = pval;
-	return dns_qpkey_fromname(key, &data->name, data->nsec);
+	return dns_qpkey_fromname(key, &data->name, data->nspace);
 }
 static void
--- a/tests/dns/qp_test.c
+++ b/tests/dns/qp_test.c
@ -45,75 +45,75 @@ bool verbose = false;
 ISC_RUN_TEST_IMPL(qpkey_name) {
 	struct {
 		const char *namestr;
-		uint8_t denial;
+		dns_namespace_t space;
 		uint8_t key[512];
 		size_t len;
 	} testcases[] = {
 		{
 			.namestr = "",
-			.denial = DNS_DB_NSEC_NORMAL,
+			.space = DNS_DB_NSEC_NORMAL,
 			.key = { 0x07, 0x02 },
 			.len = 1,
 		},
 		{
 			.namestr = ".",
-			.denial = DNS_DB_NSEC_NORMAL,
+			.space = DNS_DB_NSEC_NORMAL,
 			.key = { 0x07, 0x02, 0x02 },
 			.len = 2,
 		},
 		{
 			.namestr = "\\000",
-			.denial = DNS_DB_NSEC_NORMAL,
+			.space = DNS_DB_NSEC_NORMAL,
 			.key = { 0x07, 0x03, 0x03, 0x02 },
 			.len = 4,
 		},
 		{
 			.namestr = "\\000\\009",
-			.denial = DNS_DB_NSEC_NORMAL,
+			.space = DNS_DB_NSEC_NORMAL,
 			.key = { 0x07, 0x03, 0x03, 0x03, 0x0c, 0x02 },
 			.len = 6,
 		},
 		{
 			.namestr = "com",
-			.denial = DNS_DB_NSEC_NORMAL,
+			.space = DNS_DB_NSEC_NORMAL,
 			.key = { 0x07, 0x16, 0x22, 0x20, 0x02 },
 			.len = 5,
 		},
 		{
 			.namestr = "com.",
-			.denial = DNS_DB_NSEC_NSEC,
+			.space = DNS_DB_NSEC_NSEC,
 			.key = { 0x08, 0x02, 0x16, 0x22, 0x20, 0x02 },
 			.len = 6,
 		},
 		{
 			.namestr = "com.",
 			.space = DNS_DB_NSEC_NSEC3,
 			.key = { 0x09, 0x02, 0x16, 0x22, 0x20, 0x02 },
 			.len = 6,
 		},
 		{
 			.namestr = "com.",
-			.denial = DNS_DB_NSEC_NSEC3,
+			.space = DNS_DB_NSEC_NORMAL,
 			.key = { 0x0a, 0x02, 0x16, 0x22, 0x20, 0x02 },
 			.len = 6,
 		},
 		{
 			.namestr = "com.",
 			.denial = DNS_DB_NSEC_NORMAL,
 			.key = { 0x07, 0x02, 0x16, 0x22, 0x20, 0x02 },
 			.len = 6,
 		},
 		{
 			.namestr = "example.com.",
-			.denial = DNS_DB_NSEC_NORMAL,
+			.space = DNS_DB_NSEC_NORMAL,
 			.key = { 0x07, 0x02, 0x16, 0x22, 0x20, 0x02, 0x18, 0x2b,
 				 0x14, 0x20, 0x23, 0x1f, 0x18, 0x02 },
 			.len = 14,
 		},
 		{
 			.namestr = "example.com",
-			.denial = DNS_DB_NSEC_NORMAL,
+			.space = DNS_DB_NSEC_NORMAL,
 			.key = { 0x07, 0x16, 0x22, 0x20, 0x02, 0x18, 0x2b, 0x14,
 				 0x20, 0x23, 0x1f, 0x18, 0x02 },
 			.len = 13,
 		},
 		{
 			.namestr = "EXAMPLE.COM",
-			.denial = DNS_DB_NSEC_NORMAL,
+			.space = DNS_DB_NSEC_NORMAL,
 			.key = { 0x07, 0x16, 0x22, 0x20, 0x02, 0x18, 0x2b, 0x14,
 				 0x20, 0x23, 0x1f, 0x18, 0x02 },
 			.len = 13,
@ -126,13 +126,13 @@ ISC_RUN_TEST_IMPL(qpkey_name) {
 		dns_fixedname_t fn1, fn2;
 		dns_name_t *in = NULL, *out = NULL;
 		char namebuf[DNS_NAME_FORMATSIZE];
-		uint8_t denial;
+		dns_namespace_t space;
 		in = dns_fixedname_initname(&fn1);
 		if (testcases[i].len > 1) {
 			dns_test_namefromstring(testcases[i].namestr, &fn1);
 		}
-		len = dns_qpkey_fromname(key, in, testcases[i].denial);
+		len = dns_qpkey_fromname(key, in, testcases[i].space);
 		if (verbose) {
 			qp_test_printkey(key, len);
 		}
@ -141,9 +141,9 @@ ISC_RUN_TEST_IMPL(qpkey_name) {
 		assert_memory_equal(testcases[i].key, key, len);
 		out = dns_fixedname_initname(&fn2);
-		dns_qpkey_toname(key, len, out, &denial);
+		dns_qpkey_toname(key, len, out, &space);
 		assert_true(dns_name_equal(in, out));
-		assert_int_equal(denial, testcases[i].denial);
+		assert_int_equal(space, testcases[i].space);
 		/* check that 'out' is properly reset by dns_qpkey_toname */
 		dns_qpkey_toname(key, len, out, NULL);
 		dns_name_format(out, namebuf, sizeof(namebuf));
@ -155,25 +155,25 @@ ISC_RUN_TEST_IMPL(qpkey_sort) {
 		const char *namestr;
 		dns_name_t *name;
 		dns_fixedname_t fixed;
-		uint8_t denial;
+		dns_namespace_t space;
 		size_t len;
 		dns_qpkey_t key;
 	} testcases[] = {
-		{ .namestr = ".", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = ".", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "\\000.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "\\000.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "\\000.\\000.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "\\000.\\000.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "\\000\\009.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "\\000\\009.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "\\007.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "\\007.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "example.com.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "example.com.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "EXAMPLE.COM.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "EXAMPLE.COM.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "www.example.com.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "www.example.com.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "exam.com.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "exam.com.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "exams.com.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "exams.com.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "exam\\000.com.", .denial = DNS_DB_NSEC_NORMAL },
+		{ .namestr = "exam\\000.com.", .space = DNS_DB_NSEC_NORMAL },
-		{ .namestr = "exam.com.", .denial = DNS_DB_NSEC_NSEC },
+		{ .namestr = "exam.com.", .space = DNS_DB_NSEC_NSEC },
-		{ .namestr = "exams.com.", .denial = DNS_DB_NSEC_NSEC },
+		{ .namestr = "exams.com.", .space = DNS_DB_NSEC_NSEC },
-		{ .namestr = "exam.com.", .denial = DNS_DB_NSEC_NSEC3 },
+		{ .namestr = "exam.com.", .space = DNS_DB_NSEC_NSEC3 },
-		{ .namestr = "exams.com.", .denial = DNS_DB_NSEC_NSEC3 },
+		{ .namestr = "exams.com.", .space = DNS_DB_NSEC_NSEC3 },
 	};
 	for (size_t i = 0; i < ARRAY_SIZE(testcases); i++) {
@ -182,7 +182,7 @@ ISC_RUN_TEST_IMPL(qpkey_sort) {
 		testcases[i].name = dns_fixedname_name(&testcases[i].fixed);
 		testcases[i].len = dns_qpkey_fromname(testcases[i].key,
 						      testcases[i].name,
-						      testcases[i].denial);
+						      testcases[i].space);
 	}
 	for (size_t i = 0; i < ARRAY_SIZE(testcases); i++) {
@ -194,13 +194,13 @@ ISC_RUN_TEST_IMPL(qpkey_sort) {
 			/* include extra terminating NOBYTE */
 			int keycmp = memcmp(testcases[i].key, testcases[j].key,
 					    len + 1);
-			if (testcases[i].denial == testcases[j].denial) {
+			if (testcases[i].space == testcases[j].space) {
 				assert_true((namecmp < 0) == (keycmp < 0));
 				assert_true((namecmp == 0) == (keycmp == 0));
 				assert_true((namecmp > 0) == (keycmp > 0));
 			} else {
-				uint8_t di = testcases[i].denial;
+				uint8_t di = testcases[i].space;
-				uint8_t dj = testcases[j].denial;
+				uint8_t dj = testcases[j].space;
 				assert_true((di < dj) == (keycmp < 0));
 				assert_true((di > dj) == (keycmp > 0));
 			}
@ -384,11 +384,11 @@ no_op(void *uctx, void *pval, uint32_t ival) {
 static size_t
 qpkey_fromstring(dns_qpkey_t key, void *uctx, void *pval, uint32_t ival) {
 	dns_fixedname_t fixed;
-	uint8_t denial = ival;
+	dns_namespace_t space = ival;
 	UNUSED(uctx);
 	dns_test_namefromstring(pval, &fixed);
-	return dns_qpkey_fromname(key, dns_fixedname_name(&fixed), denial);
+	return dns_qpkey_fromname(key, dns_fixedname_name(&fixed), space);
 }
 const dns_qpmethods_t string_methods = {
@ -406,7 +406,7 @@ struct check_partialmatch {
 static void
 check_partialmatch(dns_qp_t *qp, struct check_partialmatch check[],
-		   uint8_t denial) {
+		   dns_namespace_t space) {
 	for (int i = 0; check[i].query != NULL; i++) {
 		isc_result_t result;
 		dns_fixedname_t fn1, fn2;
@ -415,13 +415,13 @@ check_partialmatch(dns_qp_t *qp, struct check_partialmatch check[],
 		void *pval = NULL;
 		dns_test_namefromstring(check[i].query, &fn1);
-		result = dns_qp_lookup2(qp, name, denial, foundname, NULL, NULL,
+		result = dns_qp_lookup2(qp, name, space, foundname, NULL, NULL,
 					&pval, NULL);
 #if 0
 		fprintf(stderr, "%s%s %s (expected %s) "
 			"value \"%s\" (expected \"%s\")\n",
-			denial == DNS_DB_NSEC_NSEC3 ? "NSEC3:" : (denial == DNS_DB_NSEC_NSEC ? "NSEC:" : ""),
+			space == DNS_DB_NSEC_NSEC3 ? "NSEC3:" : (space == DNS_DB_NSEC_NSEC ? "NSEC:" : ""),
 			check[i].query,
 			isc_result_totext(result),
 			isc_result_totext(check[i].result), (char *)pval,
@ -460,18 +460,18 @@ check_partialmatch(dns_qp_t *qp, struct check_partialmatch check[],
 }
 static void
-insert_name(dns_qp_t *qp, const char *str, uint8_t denial) {
+insert_name(dns_qp_t *qp, const char *str, dns_namespace_t space) {
 	isc_result_t result;
 	uintptr_t pval = (uintptr_t)str;
-	uint32_t ival = (uint32_t)denial;
+	uint32_t ival = (uint32_t)space;
 	INSIST((pval & 3) == 0);
 	result = dns_qp_insert(qp, (void *)pval, ival);
 	assert_int_equal(result, ISC_R_SUCCESS);
 }
 static void
-delete_rootkey(dns_qp_t *qp, uint8_t denial) {
+delete_rootkey(dns_qp_t *qp, dns_namespace_t space) {
-	uint8_t d = dns_qp_bits_for_byte[denial + 48];
+	uint8_t d = dns_qp_bits_for_byte[space + 48];
 	dns_qpkey_t rootkey = { d, SHIFT_NOBYTE };
 	isc_result_t result = dns_qp_deletekey(qp, rootkey, 1, NULL, NULL);
 	assert_int_equal(result, ISC_R_SUCCESS);
@ -561,7 +561,7 @@ ISC_RUN_TEST_IMPL(partialmatch) {
 struct check_qpchain {
 	const char *query;
-	uint8_t denial;
+	dns_namespace_t space;
 	isc_result_t result;
 	unsigned int length;
 	const char *names[10];
@ -578,7 +578,7 @@ check_qpchainiter(dns_qp_t *qp, struct check_qpchain check[],
 		dns_qpchain_init(qp, &chain);
 		dns_test_namefromstring(check[i].query, &fn1);
-		result = dns_qp_lookup2(qp, name, check[i].denial, NULL, iter,
+		result = dns_qp_lookup2(qp, name, check[i].space, NULL, iter,
 					&chain, NULL, NULL);
 #if 0
 		fprintf(stderr,
@ -766,9 +766,9 @@ ISC_RUN_TEST_IMPL(qpchain) {
 struct check_predecessors {
 	const char *query;
-	uint8_t denial;
+	dns_namespace_t space;
 	const char *predecessor;
-	uint8_t pdenial;
+	dns_namespace_t pspace;
 	isc_result_t result;
 	int remaining;
 };
@ -800,13 +800,13 @@ check_predecessors_withchain(dns_qp_t *qp, struct check_predecessors check[],
 		result = dns_name_tostring(expred, &predstr, mctx);
 		assert_int_equal(result, ISC_R_SUCCESS);
-		result = dns_qp_lookup2(qp, name, check[i].denial, NULL, &it,
+		result = dns_qp_lookup2(qp, name, check[i].space, NULL, &it,
 					chain, NULL, NULL);
 #if 0
 		fprintf(stderr, "%s %s: expected %s got %s\n", check[i].query,
-			check[i].denial == DNS_DB_NSEC_NSEC3
+			check[i].space == DNS_DB_NSEC_NSEC3
 				? "NSEC3"
-				: (check[i].denial == DNS_DB_NSEC_NSEC
+				: (check[i].space == DNS_DB_NSEC_NSEC
 					   ? "NSEC"
 					   : "NORMAL"),
 			isc_result_totext(check[i].result),
@ -836,11 +836,11 @@ check_predecessors_withchain(dns_qp_t *qp, struct check_predecessors check[],
 		result = dns_name_tostring(pred, &namestr, mctx);
 #if 0
 		fprintf(stderr, "... expected predecessor %s %u got %s %u\n",
-			predstr, check[i].pdenial, namestr, ival);
+			predstr, check[i].pspace, namestr, ival);
 #endif
 		assert_int_equal(result, ISC_R_SUCCESS);
 		assert_string_equal(namestr, predstr);
-		assert_int_equal(ival, check[i].pdenial);
+		assert_int_equal(ival, check[i].pspace);
 #if 0
 		fprintf(stderr, "%d: remaining names after %s:\n", i, namestr);
@ -1606,7 +1606,7 @@ ISC_RUN_TEST_IMPL(fixiterator) {
 struct inserting {
 	/* Fixed size strings [32] should ensure leaf-compatible alignment. */
 	const char name[32];
-	uint8_t denial;
+	dns_namespace_t space;
 	/* Padding */
 	uint8_t pad1;
 	uint16_t pad2;
@ -1614,7 +1614,7 @@ struct inserting {
 struct check_delete {
 	const char *name;
-	uint8_t denial;
+	dns_namespace_t space;
 	isc_result_t result;
 };
@ -1628,11 +1628,11 @@ check_delete(dns_qp_t *qp, struct check_delete check[]) {
 		dns_qpchain_init(qp, &chain);
 		dns_test_namefromstring(check[i].name, &fn1);
-		result = dns_qp_deletename(qp, name, check[i].denial, NULL,
+		result = dns_qp_deletename(qp, name, check[i].space, NULL,
 					   NULL);
 #if 0
 		fprintf(stderr, "%s %u %s (expected %s)\n", check[i].name,
-			check[i].denial, isc_result_totext(result),
+			check[i].space, isc_result_totext(result),
 			isc_result_totext(check[i].result));
 #endif
 		assert_int_equal(result, check[i].result);
@ -1679,7 +1679,7 @@ ISC_RUN_TEST_IMPL(qpkey_delete) {
 	dns_qp_create(mctx, &string_methods, NULL, &qp);
 	while (insert1[i].name[0] != '\0') {
-		insert_name(qp, insert1[i].name, insert1[i].denial);
+		insert_name(qp, insert1[i].name, insert1[i].space);
 		i++;
 	}
--- a/tests/libtest/qp.c
+++ b/tests/libtest/qp.c
@ -343,14 +343,14 @@ void
 qp_test_printkey(const dns_qpkey_t key, size_t keylen) {
 	dns_fixedname_t fn;
 	dns_name_t *n = dns_fixedname_initname(&fn);
-	uint8_t d;
+	dns_namespace_t s;
 	char txt[DNS_NAME_FORMATSIZE];
-	dns_qpkey_toname(key, keylen, n, &d);
+	dns_qpkey_toname(key, keylen, n, &s);
 	dns_name_format(n, txt, sizeof(txt));
 	printf("%s%s%s\n", txt,
-	       d == DNS_DB_NSEC_NSEC3 ? "NSEC3:"
+	       s == DNS_DB_NSEC_NSEC3 ? "NSEC3:"
-				      : (d == DNS_DB_NSEC_NSEC ? "NSEC" : ""),
+				      : (s == DNS_DB_NSEC_NSEC ? "NSEC" : ""),
 	       dns_name_isabsolute(n) ? "." : "");
 }